RFC: Consider changing how we accept third-party plugins

[laurent22]

Currently, the Joplin application gets the list of plugins from our GitHub repository, and that repository is automatically built based on the third-party plugins that have been published to npm. We generally don't do any checks on these plugins except for those that are marked as "recommended", which are those developed by the team or long term contributors.

In order to make it safer for users to install plugins, it would be good to have a review process. Many plugins are relatively simple and we have perhaps 3 or 4 updates per week so it should be doable. The advantage is that we can guarantee that all reviewed plugins are safe to install, which would be interesting to users who no longer need to limit themselves to recommended plugins only.

To minimise changes to the existing process, we could integrate the review process in that way:

• Publishing to npm will no longer be relevant
• Instead, we would check the code directly on the repository
  • The code itself
  • But also the dependencies - we should only accept dependencies to well-known, safe packages
• If all is good, we record the repository url and commit that we've reviewed
• When building the plugin repository, we would automatically:
  • Fetch the third-party repositories at the previously recorded commit
  • Build the plugin
  • Add the .jpl to our plugin repository

Once we have the .jpl the rest of our process will be identical.

Questions

• What to do about plugins that we have not yet reviewed - should we include them and mark them as "not reviewed". Or exclude them completely?
• How about plugins that are not published to any public repository? (not sure if they exist)
• For review, we should have some tool to generate a diff between the last reviewed commit and the latest one
• We should probably have a process to allow the plugin developer to tell us when their plugin is ready for review, otherwise we may fetch a commit that's still under development

[Shbhom]

Hi, I'm Shubhom Srivastava, I liked the problem this project is trying to solve. But I'm thinking how are going to do the code review. Since, I'm still in college I don't know different code review tools used, in my current internship we usually sit in a meet with a senior and do the code review. what I'm thinking to do for this problem is building a CLI tool like Heroku which has similar commands to git, using this we can do get two things done

1. VCS support for each change in code for the 3rd party plugin
2. we can create a clone of serverless deployment sites like vercel which builds the code they get in an isolated docker container. so our requirement for a trusted server to build plugins will also be full filed.
3. and we can use middlewares between the plugin authors pc and our git server which would apply logic for code review.

Currently working on the code review part, @laurent22 can you review this proposal ?